Interoperability with RADIUS clients & servers

TekRadius - AD Groups and 2FAGA with parallels RAS

sgs_hv (Posts: 9)
20.07.2018
I have followed the instructions from https://www.kaplansoft.com/tekradius/Docs/Parallels-2FA.pdf and https://www.kaplansoft.com/tekradius/Docs/Google-Authenticator.pdf to install authentication in Parallels RAS via GA.
I have not understood how to make the web portal (to initiate the GA secret) available to the group members, because the attributes http-user-name and http-user-password are only available in the user context. The users are able to log in to the TekRadius HTTP portal, but the link to initiate the GA secret isn't there. If I create a TekRadius local user, all things are OK. What should I do? Do I have to import all AD users into TekRadius to manage the GA secrets?
Admin, Administrator (Posts: 4992)
20.07.2018
Hi,

Groups RAS-RDP-Access and Access-2FA are Active Directory groups and they must exist in AD, as mentioned in https://www.kaplansoft.com/tekradius/Docs/Parallels-2FA.pdf.
Users who will be authenticated by GA in the second phase must be in Access-2FA. The TekRADIUS HTTP console should display the GA initiator icon when you connect to the HTTP console with an AD username and password.

Best regards,

Yasin KAPLAN
sgs_hv (Posts: 9)
23.07.2018
Hello,
Yes, that is how I understood the instructions. But my TekRadius log shows no group validation yet. The only thing I see is that the TekRadius proxy invokes, or rather tests, an AD login:

23.07.2018 13:36:57.468 - RadAuth reply to : 195.222.207.207:49745 (Failure)
Size : 69
Identifier : 1
Attributes :
Reply-Message = Windows Active Directory authentication failure

23.07.2018 13:36:57.483 - (ADProxy) Authentication is successful for user 'sgs.local\v' [xxxxxxxx].
23.07.2018 13:36:57.483 - Check items control for user 'v' - Start (Default) [ActiveDirectory].
23.07.2018 13:36:57.483 - Check items control for user 'v' - Stop (Default).
23.07.2018 13:36:57.483 - Active Directory authentication successful for user 'v'
23.07.2018 13:36:57.483 - Fetching Success-Reply items for user 'v' - Start.
23.07.2018 13:36:57.483 - Fetching Success-Reply items for user 'v' - Stop.

And if the user exists in AD, he is able to connect, no matter which groups the user is placed in.

Best regards,

Hartmut V.
Admin, Administrator (Posts: 4992)
23.07.2018
What is the primary Active Directory domain for user v?
sgs_hv (Posts: 9)
23.07.2018
Hello,

User v is only a member of sgs.local, i.e. SGS in the pre-Windows 2000 name format. The TekRadius service is running under the sgs\administrator account.

Best regards

Hartmut V.
Admin, Administrator (Posts: 4992)
23.07.2018
Sorry, the correct question is "What is the primary Active Directory group for user v?" It seems that TekRADIUS cannot obtain the primary group name for user v, or the primary group has no group entry in TekRADIUS group profiles.
sgs_hv (Posts: 9)
23.07.2018
Hello,

User v's primary AD group is RAS-FA; this group is defined as the AD group in the TekRadius group RAS-RDP-Access-2FA-01.

My TekRadius group definition:

"GroupID";"Attribute";"AttrType";"Val"
"Default";"ietf|1";"0";"Default"
"RAS-RDP-Access-01";"ietf|1";"0";"RAS-RDP-Access-01"
"RAS-RDP-Access-2FA-01";"ietf|1";"0";"RAS-RDP-Access-2FA"
"End";"ietf|1";"0";"RAS-RDP-Access-2FA-GA"
"RAS-RDP-Access-01";"ietf|4";"0";"195.222.207.29"
"RAS-RDP-Access-2FA-01";"ietf|4";"0";"195.222.207.29"
"RAS-RDP-Access-01";"kaplansoft|20";"0";"RAS-RDP"
"End";"ietf|1";"0";"End"
"End";"kaplansoft|13";"0";"End"
"RAS-RDP-Access-01";"kaplansoft|36";"0";"0"
"RAS-RDP-Access-01";"kaplansoft|13";"0";"RAS-RDP-Access-2FA-01"
"RAS-RDP-Access-2FA-01";"kaplansoft|36";"0";"1"
"RAS-RDP-Access-2FA-01";"kaplansoft|20";"0";"RAS-2FA"
"RAS-RDP-Access-2FAGA-01";"ietf|1";"0";"RAS-RDP-Access-2FAGA"
"RAS-RDP-Access-2FAGA-01";"ietf|4";"0";"195.222.207.29"
"RAS-RDP-Access-2FAGA-01";"kaplansoft|13";"0";"End"
"RAS-RDP-Access-2FAGA-01";"kaplansoft|4";"0";"15"
"RAS-RDP-Access-2FA-01";"kaplansoft|13";"0";"RAS-RDP-Access-2FAGA-0

Best regards

Hartmut V.
Admin, Administrator (Posts: 4992)
23.07.2018
You must have a group named RAS-FA in TekRADIUS group profiles (this corresponds to the RAS-RDP-Access group in the https://www.kaplansoft.com/tekradius/Docs/Parallels-2FA.pdf document).
sgs_hv (Posts: 9)
24.07.2018
Hello,
In the meantime I have deleted the content of the groups table and defined all groups with their attributes again. It seems there was a mistake in group renaming in my first tries.
Now, after redefining, the mechanism for the authentication seems to be OK.

24.07.2018 13:55:15.042 - RadAuth req. from : x.x.x.x:65424 [UDP]
Size : 82 / 82
Identifier : 1
Attributes :
User-Name = v
NAS-IP-Address = x.x.x.29
State = B4708F9841EFD949B8D08A260DC9E27E

24.07.2018 13:55:15.042 - GoogleAuthenticator Authentication commencing for user 'v'
24.07.2018 13:55:15.042 - Check items control for user 'v' - Start (RAS-2FAGA) [GoogleAuthenticator].
24.07.2018 13:55:15.042 - User profile 'v', configured for Google Authenticator but it has not been initialized.
24.07.2018 13:55:15.042 - Check items control for user 'v' - Stop (RAS-2FAGA).
24.07.2018 13:55:15.042 - GoogleAuthenticator Authentication commencing for user 'v'
24.07.2018 13:55:15.042 - Check items control for user 'v' - Start (wired) [GoogleAuthenticator].
24.07.2018 13:55:15.042 - User profile 'v', configured for Google Authenticator but it has not been initialized.
24.07.2018 13:55:15.042 - Check items control for user 'v' - Stop (wired).
24.07.2018 13:55:15.042 - Fetching Failure-Reply items for user 'v' - Start.
24.07.2018 13:55:15.042 - Fetching Failure-Reply items for user 'v' - Stop.
24.07.2018 13:55:15.042 - Generating Reply Packet - Start.
24.07.2018 13:55:15.042 - Generating Reply Packet - Stop.

But if I log in to the HTTP interface there are two possibilities: with the user v or domain\v the HTTP admin panel is shown; with the user v.domain.local a user interface is shown, but nowhere is the GA initiator icon.

Best regards

Hartmut V.
Admin, Administrator (Posts: 4992)
24.07.2018
TekRADIUS will display the administrative HTTP interface if the user is in the AD domain admin group or is an Administrator. I recommend that you create an ordinary user in AD and make tests with that user. You should enter the username in domain\v or v@domain.local format.
sgs_hv (Posts: 9)
24.07.2018
Hello,

Now I have removed the user v from any administrative group.
The HTTP login now gives status [User] for the account v.

24.07.2018 16:09:55.393 - Windows Authentication is successful for user 'v'.
24.07.2018 16:09:55.693 - HTTP Client authorized (192.168.212.6); 'v' [User]

But nevertheless the GA initiator icon is not present.

Best regards

Hartmut V.
Admin, Administrator (Posts: 4992)
24.07.2018
What is the primary AD group of user v? Do you have a group profile for this group in TekRADIUS group profiles, and if so, is there Authentication-Method = Google-Authenticator as a check attribute in it?
sgs_hv (Posts: 9)
24.07.2018
The system asks to input an OTP through Parallels RAS.
The dialog box shows Method: TekRadius Challenge.
The primary user group of user v is RAS-2FA. There is a group definition to check for users in this group. The group definition says next group RAS-2FAGA, and there is an attribute check for Google-Authenticator.
edited by sgs_hv on 24.07.2018
Admin, Administrator (Posts: 4992)
24.07.2018
What is the primary AD group of user v? Do you have a group profile for this group in TekRADIUS group profiles, and if so, is there Authentication-Method = Google-Authenticator as a check attribute in it?
sgs_hv (Posts: 9)
25.07.2018
Hello,

The primary user group of user v is RAS-2FA. There is a group definition to check for users in this group. The group definition says next group RAS-2FAGA, and there is an attribute check for Google-Authenticator.

Best regards

Hartmut V.
Admin, Administrator (Posts: 4992)
25.07.2018
Hi,

You need two extra AD groups in your AD: Access-2FA for Google-Authenticator after AD authentication, and a dummy group called TekRADIUS-Default.

Group profile configuration in TekRADIUS:

TekRADIUS Group "Default" (This is the entry group)
Active-Directory-Group = TekRADIUS-Default (Check)
Next-Group = RAS-RDP-Access (Check)

TekRADIUS Group "RAS-RDP-Access" (This one authenticates plain AD users, falls back to RAS-RDP-Access-2FA if authentication fails)
Authentication-Method = Active-Directory (Check)
Next-Group = RAS-RDP-Access-2FA

TekRADIUS Group "RAS-RDP-Access-2FA" (Sends the challenge for the Google-Authenticator phase if AD authentication is successful)
Active-Directory-Group = Access-2FA (Check)
Next-Group = RAS-RDP-Access-2FAGA (Check)
Success-Reply-Type = Challenge (Check)

TekRADIUS Group "RAS-RDP-Access-2FAGA" (This is the final phase for Google-Authenticator)
Authentication-Method = Google-Authenticator (Check)

The primary group for user v must be Access-2FA in this configuration, and the TekRADIUS HTTP interface should then display the GA initiator icon.

Best regards,

Yasin KAPLAN
edited by Admin on 1.08.2018
sgs_hv (Posts: 9)
25.07.2018
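The user's exported group table above and the admin's recommended Next-Group chain both hinge on every Next-Group value naming a group profile that actually exists, which is exactly what the "group renaming" mistake earlier in the thread broke. The following Python checker is an added example, not TekRADIUS code: it parses a constructed table in the same semicolon-separated export layout shown in the thread, walks the chain from "Default", and reports dangling links, loops, and the Active-Directory-Group values a user's primary AD group must match. Reading kaplansoft|13 as Next-Group and kaplansoft|20 as Active-Directory-Group is inferred from the values in the posted export and is an assumption.

```python
import csv
import io

# Constructed sample in the export layout seen in the thread. The attribute ids
# come from that export; reading kaplansoft|13 as Next-Group and kaplansoft|20
# as Active-Directory-Group is inferred from the values shown there (an
# assumption, not vendor documentation). The "-01" suffix is a deliberate typo.
NEXT_GROUP = "kaplansoft|13"
AD_GROUP = "kaplansoft|20"
CHAIN_END = "End"  # terminal Next-Group value, as in the thread's export

SAMPLE_EXPORT = '''"GroupID";"Attribute";"AttrType";"Val"
"Default";"ietf|1";"0";"Default"
"Default";"kaplansoft|20";"0";"TekRADIUS-Default"
"Default";"kaplansoft|13";"0";"RAS-RDP-Access"
"RAS-RDP-Access";"ietf|1";"0";"RAS-RDP-Access"
"RAS-RDP-Access";"kaplansoft|13";"0";"RAS-RDP-Access-2FA"
"RAS-RDP-Access-2FA";"ietf|1";"0";"RAS-RDP-Access-2FA"
"RAS-RDP-Access-2FA";"kaplansoft|20";"0";"Access-2FA"
"RAS-RDP-Access-2FA";"kaplansoft|13";"0";"RAS-RDP-Access-2FAGA-01"
"RAS-RDP-Access-2FAGA";"ietf|1";"0";"RAS-RDP-Access-2FAGA"
"RAS-RDP-Access-2FAGA";"kaplansoft|13";"0";"End"
'''

def parse_groups(text):
    """Return {GroupID: [(attribute, value), ...]} from the ';'-separated export."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        groups.setdefault(row["GroupID"], []).append((row["Attribute"], row["Val"]))
    return groups

def check_chain(groups, entry="Default"):
    """Walk Next-Group links from the entry group; report dangling links and loops."""
    chain, problems, current = [], [], entry
    while current != CHAIN_END:
        if current not in groups:
            problems.append(f"Next-Group '{current}' has no group profile")
            break
        if current in chain:
            problems.append(f"Next-Group loop at '{current}'")
            break
        chain.append(current)
        nxt = [v for a, v in groups[current] if a == NEXT_GROUP]
        current = nxt[0] if nxt else CHAIN_END  # no Next-Group means the chain ends here
    return chain, problems

def ad_groups_on_chain(groups, chain):
    """AD group names a user's primary group must match for the chain to apply."""
    return {v for g in chain for a, v in groups[g] if a == AD_GROUP}
```

Running it on the sample stops the walk at the misspelled "RAS-RDP-Access-2FAGA-01" link, which is the same symptom as a primary AD group with no matching group profile: the user is never handed to the Google-Authenticator phase.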
Hello,
I've had success. Thanks. The group configuration on the NT domain and TekRadius side both were all well after your hints.
But the great initial problem was still alive: the system wants to initiate a GA check, but I didn't have a GA secret, because there was no PNG.
I have made a workaround. I log in to the web interface with the user v and call, from the current web session, the URL with /qr?user=v; the PNG was shown and I am able to
scan the secret with the GA app.

Best regards

Hartmut V.
Admin, Administrator (Posts: 4992)
25.07.2018
Please replace the existing TekRADIUS.exe under the TekRADIUS application directory with the one in https://www.kaplansoft.com/tekradius/release/TekRADIUS.exe.zip and send me the TekRADIUS log entries after logging in to the HTTP interface.